Carlos Barros reported buffer overflow vulnerabilities in the getauthfromURL() and http_open() functions. Additionally, the Gentoo Linux Sound Team fixed other boundary checks that were found to be lacking.

Impact

By enticing a user to open a malicious playlist or URL, or by making use of a specially crafted symlink, an attacker could possibly execute arbitrary code with the rights of the user running mpg123.